Reddit Is So Insecure, a Bored Hacker Easily Stole a Bunch of Subreddits
A hacker has been stealing and defacing seemingly random subreddits for a couple of weeks—all for shits and giggles and because he was bored.
The hacker, who goes by the name BVM, said he’s taken over so many subreddits he’s “lost count,” but estimates that the number is higher than 70. The popular r/pics, r/starwars, and r/gameofthrones, among others, have seen their homepages defaced in the last few days. BVM said that his exploits are possible thanks to Reddit’s crummy security, and its lack of two-factor authentication.
Why is BVM hacking these subreddits?
“No reason really. Just boredom. It’s not like it’s really a challenge or anything so I just do it to pass time,” the hacker told me in an online chat.
BVM, who declined to say anything about his real identity other than saying he is a male, also refused to say exactly how he’s taking over and defacing subreddits. But he did admit that he’s hacking into moderators’ accounts and then changing the CSS style of the pages, replacing it with a note taking responsibility.
As the hacker himself admitted, these hacks didn’t really take a lot of skill. BVM is either phishing passwords out of the mods, or brute-forcing their accounts. Given that Reddit doesn’t have two-factor authentication (2FA), a mod’s password really is the only barrier to entry to a subreddit.
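The paragraph above names the two ways a password-only login gives way: the password is guessed, or it is phished. Guessing leaves a footprint in the site's own login records, and the following Python is an added example (written for this edit, not code from the article, from BVM, or from Reddit) of the two signatures a defender would look for: many failures against one account from one address followed by a success (brute force), and one address touching many accounts in a short window (credential stuffing with reused passwords). The log format and every line in SAMPLE_LOG are constructed for the example; a phished password produces a single clean login and is not caught by this logic, which is exactly why 2FA, not monitoring alone, is the fix the article points to.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (not real Reddit data). Assumed format:
# "<ISO timestamp> <user> <source_ip> <fail|ok>".
SAMPLE_LOG = """\
2016-07-20T14:00:01 mod_alpha 203.0.113.5 fail
2016-07-20T14:00:03 mod_alpha 203.0.113.5 fail
2016-07-20T14:00:05 mod_alpha 203.0.113.5 fail
2016-07-20T14:00:07 mod_alpha 203.0.113.5 fail
2016-07-20T14:00:09 mod_alpha 203.0.113.5 fail
2016-07-20T14:00:11 mod_alpha 203.0.113.5 ok
2016-07-20T14:05:00 mod_beta 198.51.100.9 fail
2016-07-20T14:05:30 mod_beta 198.51.100.9 ok
2016-07-20T14:20:00 mod_delta 198.51.100.77 fail
2016-07-20T14:20:02 mod_epsilon 198.51.100.77 fail
2016-07-20T14:20:04 mod_zeta 198.51.100.77 fail
2016-07-20T15:00:00 mod_gamma 192.0.2.44 ok
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    return events


def flag_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: source_ip} for accounts where one source IP produced at
    least `threshold` failures inside `window` and then logged in successfully.
    That is the brute-force-then-success pattern a password-only login allows."""
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    flagged = {}
    for ts, user, ip, outcome in sorted(events):
        key = (user, ip)
        if outcome == "fail":
            failures[key].append(ts)
            # drop failures that have aged out of the window
            failures[key] = [t for t in failures[key] if ts - t <= window]
        elif outcome == "ok":
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold:
                flagged[user] = ip
            failures[key].clear()
    return flagged


def flag_stuffing(events, min_users=3, window=timedelta(minutes=10)):
    """Return the set of source IPs that tried at least `min_users` distinct
    accounts inside `window`. One guess per account across many accounts is the
    credential-stuffing shape that password reuse makes profitable."""
    attempts = defaultdict(list)  # ip -> [(timestamp, user)]
    flagged = set()
    for ts, user, ip, _outcome in sorted(events):
        attempts[ip].append((ts, user))
        attempts[ip] = [(t, u) for t, u in attempts[ip] if ts - t <= window]
        if len({u for _, u in attempts[ip]}) >= min_users:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute-forced accounts:", flag_guessing(evs))
    print("stuffing sources:", flag_stuffing(evs))
```

Both detectors use a sliding window keyed on the source address, so a single mistyped password (mod_beta above) never trips them; the thresholds are parameters because the right values depend on the site's normal failure rate. Lockout or rate limiting keyed the same way would blunt the guessing case, but only a second factor removes the password as the sole barrier.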
“Reddit’s security is shit,” BVM told me. “If Reddit would simply add 2FA it would be a lot harder to get in.”
On the bright side, Reddit seems to be responding to these incidents quickly, restoring the subreddits. The site has “a very fast support,” according to BVM.
BVM doesn’t really put too much thought into choosing his targets. The hacker told me that he either chooses them from the top subreddits according to redditmetrics.com, or uses the site’s option to navigate to a random subreddit.
It’s unclear if Reddit is working on a solution to stop these ultimately harmless, though annoying, hacks. The site did not respond to a request for comment, but we will update the post if and when they do.
UPDATE, 4:50 p.m. ET: One of the mods of r/pics who got hacked by BVM reached out to me after we published this article. The mod said that his account was breached because of password reuse. In other words, he was using the same password on Reddit as well as another service or services.
Source | MotherBoard